Zurich Insurance CEO Mario Greco recently made an eye-opening statement in a Financial Times interview: “What will become uninsurable is going to be cyber,” he said. He elaborated, “What if someone takes control of vital parts of our infrastructure, the consequences of that? There must be a perception that this is not just data . . . this is about civilisation. These people can severely disrupt our lives.”
As one who has made defending the nation in cyber my professional mission and passion, I couldn't agree more with Mr. Greco. We are running the risk of cyber becoming uninsurable if we do not act now to transform how we approach cybersecurity.
Think about it: The potential disruptive effects of a cyber attack on critical infrastructure are fundamentally no different from the impact of weather-related or other unforeseen events. Many of us recently heard about the widespread power outage in North Carolina (near my old stomping grounds of Fort Bragg) caused by targeted gunfire on a key substation, leaving more than 40,000 residents without power for four days. A similar type of physical sabotage on four substations happened in Washington state a few weeks later.
When these types of power shutdowns happen, the energy sector immediately responds collectively, as do the insurance companies. No one can forget last year’s deadly and costly deep freeze in Texas. Utility crews from multiple states and companies quickly came together to respond with mutual aid. Facing such an emergency — where lives are gravely on the line and every minute matters — no utility executive questions their company’s competitive edge. There are no silos. Instead, they’re in it together to restore power and save lives as quickly as possible.
So why are we not taking this same collaborative approach to cyber? Certainly the effects of a cyber-related grid takedown would mimic those of a weather-related grid shutdown. There is one major difference between cyber attacks and devastating superstorms, however. It is this: No one can stop Mother Nature in her unpredictable path. Many cyber attack campaigns, by contrast, can be detected and curtailed before they reach the stage of disruption or destruction. Today there even is a way to detect command-and-control (C2) infrastructure — aka the “brains” behind most cyber attacks — as it is being stood up before an attack happens.
For this proactive posture to work, however, energy companies must come together in the form of Collective Defense to detect the incipient stages of an attack — left of boom — and enable an early-warning system for all.
A Collective Defense approach is more imperative now than ever, as insurance companies are looking to drop cybersecurity coverage for nation-state cyber attacks. Lloyd’s of London, for instance, has announced that it will require its underwriters, globally, “to exclude catastrophic state-backed hacks from stand-alone cyber insurance policies,” starting in March 2023.
If cyber attacks do become largely uninsurable, what should energy companies do to batten the hatches of their network infrastructure to mitigate cyber risk and the expense of recovery?
There are two ways to facilitate a Collective Defense approach to cybersecurity — an approach to strengthens the security posture of all:
Think about a cyber heist: ransomware. In a typical ransomware attack (with phishing as the attack vector, for example), the threat actor often begins by trying to steal a user’s network credentials through a phishing email that redirects the user to a legitimate-looking phishing site. Once harvesting the credentials, the attacker uses them to gain access to the target network and drop a simple executable on the victim system. This executable enables the attacker to establish C2 and gain a foothold in the target network, where they can then hang out undetected to conduct reconnaissance and plan their end-game attack. After exfiltrating data of interest, the threat actor drops the ransomware payload that encrypts victim information and impedes recovery until a ransom is paid.
In this scenario, an organization can sound an alarm well before the attack affects the organization by employing behavioral analytics that detect anomalous behaviors on the network. Armed with behavioral analytics, cyber defenders gain crucial time to stave off the attacker before they reach their endgame. IronNet's IronRadar threat intel solution, for example, detects C2 infrastructure as it is being set up — before the attack.
Sharing these alerts — anonymously — across a Collective Defense community generates actionable attack intelligence that benefits everyone in real time. In short, attack intelligence (compared to traditional threat intelligence) reveals what is happening in your network vs. what could happen. Timely and relevant, it can be used to create a radar-like view of cyber threats so a Collective Defense community for the energy sector can see where attacks are happening — and alert the government in real time, if necessary, for national defense.
One of the frustrations I had when I led U.S. Cyber Command was that we couldn’t see attacks on our country’s critical infrastructure, most of which is owned by the private sector. When it comes to a cyber attack on the nation’s grid or other mission-critical infrastructure like healthcare or financial services, it’s imperative to have visibility and situational context of real-time cyber threats in order to defend the nation. The limitation with traditional threat-sharing models is that threat intelligence often comes too late for rapid response.
This backdrop is one reason why the U.S. Cyberspace Solarium Commission issued the following call to action in March 2020:
“The U.S. government and industry ... must arrive at a new social contract of shared responsibility to secure the nation in cyberspace. This ‘collective defense’ in cyberspace requires that the public and private sectors work from a place of truly shared situational awareness and that each leverages its unique comparative advantages for the common defense.”
Similarly, the Biden Administration has issued similar appeals. In May 2021, the Executive Order on Improving the Nation’s Cybersecurity continued the drumbeat set forth by the Solarium Commission: “[C]ybersecurity requires more than government action. Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector. The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace” (E.O. § 2).
Now more than a year after these calls to action, I’m still advocating as strongly as I can for companies and organizations to adopt a Collective Defense strategy now that the technology is available to do so — not to mention the increased cyber risk level. This approach is not limited to just the energy sector. Imagine healthcare organizations or financial institutions all working together to protect their sector at large.
Indeed, cyber insurers are taking note of the escalating risks of cyber. Let's transform cybersecurity through Collective Defense to better protect the nation's grid before a devastating attack occurs, making "cyber mutual aid" a proactive effort instead of a reactive one.